Could It Be... SATAN?

In recent weeks, there's been heaps of hype and controversy on the nets and in mainstream media surrounding a Unix security tool called SATAN. I've been cautioned against writing an article about it on the grounds that the article would fuel the fires of confusion and misinformation about SATAN. However, in the wake of the arrest of Kevin Mitnick (a widely-renowned computer cracker who, among other things, recently grabbed twenty thousand credit card numbers from Netcom - leading one to wonder why Netcom would leave such sensitive information on a machine connected to anything), I've noticed a growing popular paranoia about Internet security. The message seems to be a) the Internet is not a safe place, b) people on the Internet are intent on damaging you and your computer, and c) their next weapon is SATAN.

What Is It? -- The name SATAN is an acronym for Security Analysis Tool for Auditing Networks. SATAN gathers information about machines, networks, and remote hosts by examining a number of Internet and Unix services, looking for potential problems and known security loopholes. SATAN is being written by Dan Farmer and Wietse Venema, two well-established members of the Unix security community, in their spare time. SATAN is born of the philosophy that as computer systems are increasingly networked, they become more vulnerable to attack from those networks. The idea for SATAN was first proposed by Dan and Wietse in a paper called "How to Improve the Security of Your Site by Breaking Into It," originally posted in December, 1993.

Using SATAN requires root access to a Unix machine on a network - a privilege enjoyed by few Internet users - and presently SATAN only runs under SunOS and Irix. So why all the hype? Unlike other Unix security tools, the authors intend to publicly release SATAN to the general Internet community as early as 05-Apr-95, and a beta version of SATAN is out there now. SATAN makes system and network information - often obtainable only through careful, knowledgeable, and often painstaking work - available in one consistent, easy-to-download package. And this makes some people who have critical information on their networked systems - like credit card numbers or trade secrets - very nervous.

According to early reports, SATAN works. Users of early releases indicate SATAN accurately finds potential and possibly unknown problems on networks with as few as eight or ten systems. The bigger and more complex a network becomes, the more likely SATAN will find potential security problems.

Sign Right Here, Mr. Jones -- So why is SATAN bad? According to some, SATAN will unleash hordes of crackers and wannabe crackers on the Internet, many of whom will take down systems and networks with impunity. One Kevin Mitnick was bad enough: imagine a thousand or more, all armed with the latest in security analysis software.

SATAN's creators have certainly heard their share of this argument. Their standing as members of the Unix security community has kept them from being completely vilified in the popular press - but only barely. SATAN's documentation even says "at least one of the authors has had his job threatened." Some security experts have been quoted as saying that all copies of SATAN should be destroyed, and I've read rumors of possible legal action in the event SATAN is released.

However, there's another side to that line of reasoning: maybe SATAN just lets the security experts keep up with the Joneses.

Think about it: imagine that you're a sociopathic, wizard cracker with a grudge against the entire Internet - just for the sake of argument. You pick some obvious targets: government agencies, military computers, sites conducting online commerce, computer companies, research centers, and maybe - to show off a little - the personal machines of some net security people. Just to let them know who's boss.

Now, despite your obvious and considerable genius, cracking into systems undetected is sometimes a tricky thing to do. When you find a trick that works more often than not, you make yourself a tool that does the trick for you. Maybe it's a script that exploits a flaw in a particular version of sendmail, or maybe it's a program that helps simulate a "trusted" machine. Whatever - it's cool and it saves you time. When you meet other crackers and start one-upping each other with feats of deviousness heretofore unknown to the networked world, eventually you start trading tools.

One result of all this back-room trading is that sophisticated crackers already have tools that do what SATAN does - and more - and they've had them for a long time. In terms of sheer capability, SATAN does little to help or hinder intruders of this caliber. "Keeping out the real Mitnicks is hard enough even for real security experts," Wietse points out. "SATAN is a tool to help systems administrators to keep a large class of intruders out." Those intruders are casual crackers who know enough to exploit common weaknesses, but not enough to develop sophisticated tools.

Sympathy for the Devil -- If a line were to be drawn as to what constituted a "tool" and a "weapon" on the nets, where would that line be? All too often, system break-ins are the result of weak passwords rather than sophisticated break-in techniques. Finger, a common program in the Unix world, can reveal copious amounts of information about a machine if applied systematically, including a machine's disk structure, account names, and hosts users commonly connect from. This information can be (and has been) used to assist break-in attempts, and therefore Finger might reasonably be defined as a "weapon." Should the distribution of Finger be restricted?

Similarly, SATAN is a piece of software that provides information. Let's face it: if SATAN wanted to be the Program From Hell, it wouldn't stop at identifying problems: it would exploit them. Contrary to much of the popular press, SATAN does not directly attack other computer systems, although some of its scanning activities should set off alerts on remote systems being investigated. The information SATAN collects is already available to anyone with the right knowledge and significant access to the network being examined; similarly, the problems SATAN identifies are well-known and often the subject of CERT and CIAC security advisories. You could think of SATAN as a tool intended to raise the minimum standards of network security high enough that the majority of would-be intruders are kept out. Ironically, despite the current gnashing of teeth, SATAN arguably has the potential to make the Internet a more secure place than it is now, in large part because cracking machines is often a domino process - crack into one, and another one becomes easier to break into.
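The point that SATAN's scanning "should set off alerts on remote systems being investigated" is easy to see in code. The following is an added example, not part of the original article and not SATAN's own code or the authors' work: a small Python script that reads a handful of constructed, syslog-style connection log lines (the "inetd: <service> connection from <source>" format is hypothetical, invented for this example) and flags any source host that touches several distinct services within a short window, which is the pattern a probe of many services from one machine leaves behind. The thresholds `min_services` and `window_seconds` are assumptions a site would tune to its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real output from any system). The format is a
# hypothetical syslog-like "<timestamp> <host> inetd: <service> connection from <source>".
# 192.0.2.10 hits five services in a few seconds; 198.51.100.7 touches services
# spread over an hour and a half, which ordinary use could produce.
SAMPLE_LOG = """\
Apr 05 10:00:01 gw inetd: finger connection from 192.0.2.10
Apr 05 10:00:02 gw inetd: ftp connection from 192.0.2.10
Apr 05 10:00:02 gw inetd: telnet connection from 192.0.2.10
Apr 05 10:00:03 gw sshd: unrelated message that the parser must skip
Apr 05 10:00:04 gw inetd: rexec connection from 192.0.2.10
Apr 05 10:00:05 gw inetd: tftp connection from 192.0.2.10
Apr 05 10:01:00 gw inetd: telnet connection from 198.51.100.7
Apr 05 10:45:00 gw inetd: ftp connection from 198.51.100.7
Apr 05 11:30:00 gw inetd: finger connection from 198.51.100.7
Apr 05 11:31:00 gw inetd: telnet connection from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ inetd: "
    r"(?P<service>\S+) connection from (?P<source>\S+)$"
)


def parse_line(line):
    """Return (timestamp, service, source) for a matching line, or None otherwise.

    Lines in any other format (other daemons, malformed entries) are skipped
    rather than allowed to break the whole run.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    # No year in the timestamp; strptime defaults it, which is fine for differences.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("service"), m.group("source")


def find_probing_hosts(lines, min_services=4, window_seconds=120):
    """Flag sources that reach at least min_services distinct services within window_seconds.

    Returns {source: sorted services seen in the first qualifying window}.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, service, source = parsed
        events[source].append((ts, service))

    flagged = {}
    for source, evs in events.items():
        evs.sort()  # chronological order per source
        for i, (start, _) in enumerate(evs):
            seen = set()
            # Sliding window anchored at each event: collect distinct services
            # until the next event falls outside the window.
            for ts, service in evs[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(service)
            if len(seen) >= min_services:
                flagged[source] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    for source, services in find_probing_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"possible scan from {source}: {', '.join(services)}")
```

The same four services spread across ninety minutes from 198.51.100.7 are not flagged at the default settings, while the burst from 192.0.2.10 is; lowering `min_services` or widening the window trades false positives for sensitivity, which is exactly the tuning an administrator would do before trusting such an alert.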

SATAN's authors are straightforward about the potentials of their program. "Not only is it an unfriendly idea to run SATAN against a remote site without permission, it is probably illegal as well. Do yourself and the rest of the Internet a favor and don't do it! While we don't know of anyone being charged with a crime or sued because they ran a security tool against someone else, SATAN could change that."

The current media hype about SATAN might best be summarized as members of the press and the online community being all too aware that what they don't know can hurt them. However, the bottom line is that even if your Mac is connected to the Internet and probed by SATAN, you're unlikely to notice, and even less likely to suffer for it. Internet providers and users of networks with Unix machines connected to the Internet might wish to stay abreast of SATAN's development and release schedule - just in case. The official SATAN release page is a good place to check, as are the <comp.security.unix> and <comp.security.misc> newsgroups. SATAN's developers can be reached at <satan@fish.com>.